net-mail/dovecot installs its configuration into /etc/dovecot.conf. dovecot.conf has permissions 0644. dovecot.conf can contain passwords to SQL databases. Thus those passwords are readable to everyone. It should be installed with permissions 0600, i.e. something like this: --- dovecot-0.99.10.5.ebuild 2004-06-12 12:09:21.144345494 +0200 +++ dovecot-0.99.10.5-r1.ebuild 2004-06-12 12:10:14.979711960 +0200 @@ -93,6 +93,7 @@ fi insinto /etc doins dovecot.conf + fperms 0600 /etc/dovecot.conf make DESTDIR=${D} install || die rm ${D}/etc/dovecot-example.conf
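Review bot: the added `fperms 0600 /etc/dovecot.conf` sits before `make DESTDIR=${D} install`, and the `rm ${D}/etc/dovecot-example.conf` that follows shows that the install step also writes into `${D}/etc`. If that step installs or re-modes dovecot.conf, the 0600 set here could be undone, so either move the `fperms` call after the `make ... install` line or confirm that the install target never touches dovecot.conf. The hunk also leaves the file's owner implicit; 0600 only protects the passwords if the owner is the one account that has to read the file, which is worth stating next to the mode.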
g2boojum Can you/we make this change for dovecot?
Thanks! Fixed in CVS. I don't have time to look at this right now, but does dovecot need to run as root?
Short answer: yes. More detailed: Things are broken into multiple processes running with minimal required privileges. The imap-master runs as root and the imap-login processes are run as non-privileged user (user dovecot). The imap-auth processes can be run as root or non-privileged user depending on the authentication method which is used (root is needed for shadow and pam). This can be configured in dovecot.conf.
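A check for the condition this report describes (a config file that may hold passwords and is readable beyond its owner), as an added example that is not part of the original thread or of the dovecot ebuild. The function names are hypothetical, GNU `stat` is assumed, and the "password" match is a heuristic rather than a list of real dovecot.conf settings.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat (-c).

# Print the octal permission bits of a file, e.g. 644.
conf_mode() {
    stat -c '%a' -- "$1"
}

# Succeed only if group and other have no permission bits at all.
conf_is_private() {
    mode=$(conf_mode "$1") || return 2
    [ $((0$mode & 077)) -eq 0 ]
}

# Heuristic (assumption): any non-comment line mentioning "password".
conf_has_secret() {
    grep -Ev '^[[:space:]]*#' -- "$1" | grep -qi 'password'
}

# Report every file that is readable beyond its owner.
# HIGH when it also appears to hold a password, WARN otherwise.
# Returns 1 if anything was reported, 0 if all files are private.
audit_confs() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        conf_is_private "$f" && continue
        if conf_has_secret "$f"; then level=HIGH; else level=WARN; fi
        echo "$level: $f is mode $(conf_mode "$f"), want 0600"
        found=1
    done
    return "$found"
}
```

Calling `audit_confs /etc/dovecot.conf` after an install gives a non-zero exit status when the file is still mode 0644, which makes it usable as a post-install check.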